How Egypt did (and your government could) shut down the Internet

Ars looks at how Egypt "turned off" the Internet within its borders and …

How hard is it, exactly, to kill the Internet? Egypt seems to have been able to do it. But Egypt's situation isn't exactly the same as that in the Western world. And even though Egypt only has four big ISPs, the fact that everything went down after midnight local time suggests that it took considerable effort to accomplish the 'Net shut-off. After all, it seems unlikely that President Hosni Mubarak ordered the Internet to be shut down as he went to bed; such a decision must have been made earlier in the day, and then taken hours to execute.

Also, the fact that such a drastic measure was deemed necessary may indicate that more targeted measures, such as blocking Twitter, didn't get the job done. This nuclear option—see below—was intended to make online coordination of anti-government action impossible; at the same time, the mushroom cloud may give protesters hope that their efforts are not in vain. As one blogger writes: "It's as if the regime has done the information aggregation for you and packaged it into a nice fat public signal."

Cables and routing

But back to the "how," and "would this also work in a Western democracy?"

The easiest way to disconnect a country from the Internet is to cut the cables that leave the country. Egypt has a bunch of sea cables that go across the Mediterranean to Italy, and a few others that visit other Mediterranean destinations. Other cables run through the Red Sea towards east Africa and in the direction of India and beyond.

I haven't seen any maps with cables that cross the border toward neighboring countries—it's much easier to pull fiber through the sea than through the desert. Interestingly, it doesn't look like the connections that run through Egypt have been affected. This traffic typically traverses the country without ever leaving the fiber, so it remains oblivious to the turmoil going on in Egypt. The fact that traffic between Europe and Asia is unaffected means the fiber optic cables themselves weren't cut.

The only thing we know for sure is that quite suddenly, almost all the Egyptian IP address ranges fell off the 'Net, as reported by Renesys. The Renesys post talks about BGP prefixes disappearing. That could be either cause or effect. A prefix is simply BGP-talk for a range of IP addresses. For instance, the range 192.0.2.0-192.0.2.255 is the prefix 192.0.2/24. The number after the slash indicates how many bits are part of the prefix. The remaining bits are to be filled in later. BGP, the Border Gateway Protocol, is a routing protocol that is used between the routers on either side of the border between two ISPs—"gateway" is an old-fashioned word for "router."

What BGP does is "advertise" the local address prefixes to neighboring networks. Wholesale ISPs propagate their customers' advertisements to their neighbors so that eventually all ISPs know all other ISPs' prefixes. This enables routers to know where to send packets with a given destination address. The 3,500 Egyptian prefixes are now no longer advertised, so they're missing from the routing tables of BGP routers around the world. This means that routers no longer know where to send packets addressed to IP addresses that fall within these prefixes—even if all the cables are still working fine.
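To make the effect of a withdrawal concrete, here is an added example (not part of the original article) of a toy routing table with longest-prefix matching. The prefixes are documentation ranges and the peer names are hypothetical; nothing here reflects real Egyptian routes.

```python
import ipaddress


class RoutingTable:
    """Minimal BGP-style table: prefix -> next hop, longest-prefix match."""

    def __init__(self):
        self.routes = {}

    def advertise(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Return (prefix, next_hop) for the most specific match, or None."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None  # no route: the packet is dropped, cables or no cables
        best = max(matches, key=lambda net: net.prefixlen)
        return str(best), self.routes[best]


def prefix_range(prefix):
    """First address, last address and size of the range a prefix covers."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1]), net.num_addresses


def simulate_withdrawal():
    # Constructed table (documentation prefixes, hypothetical peers).
    table = RoutingTable()
    table.advertise("192.0.2.0/24", "peer-A")
    table.advertise("198.51.100.0/24", "peer-A")
    table.advertise("198.51.100.128/25", "peer-B")  # more specific wins
    table.advertise("203.0.113.0/24", "peer-C")

    probes = ("192.0.2.10", "198.51.100.200", "203.0.113.5")
    before = {ip: table.lookup(ip) for ip in probes}
    # The first ISP's advertisements disappear; the third network stays up.
    for prefix in ("192.0.2.0/24", "198.51.100.0/24", "198.51.100.128/25"):
        table.withdraw(prefix)
    after = {ip: table.lookup(ip) for ip in probes}
    return before, after


if __name__ == "__main__":
    print(prefix_range("192.0.2.0/24"))
    for label, result in zip(("before", "after"), simulate_withdrawal()):
        print(label, result)
```

Because this table has no default route, a lookup that matches nothing returns no next hop at all, which is the state the rest of the world's routers were in for the withdrawn Egyptian prefixes.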

However, it seems unlikely that the Egyptian ISPs removed 3,500 prefixes, if only because that means removing 3,500 lines from router configurations. Usually, two or three routers advertise a prefix—more is overkill, but fewer is dangerous because if the advertising routers go down, the addresses fall off of the 'Net. An easier way would be to make a filter that simply doesn't allow any outgoing BGP advertisements.

It could also be that the big "border" routers that the Egyptian ISPs use to connect to ISPs in Italy and elsewhere were disconnected or turned off. This works well in a relatively small country with only a few ISPs.

When the border routers are turned off or lose their connection to the outside world, an ISP's network becomes isolated from the rest of the world. However, that doesn't necessarily mean local connectivity is disrupted. Egypt has an Internet exchange, and many ISPs have direct interconnections. The connections between different ISPs are also governed by BGP, which requires extensive manual configuration. Disrupt the border routers, or the fibers that BGP knows about, and two ISPs can't exchange traffic anymore.

Breaking international connections wouldn't necessarily kill the connectivity between the four large Egyptian ISPs—that would require a separate action. But in a country like Egypt, with one very large city and a handful of ISPs, the number of connections between ISPs should be fairly small and therefore easy to disrupt. This is especially true in the case of an Internet exchange: just turn off the exchange's Ethernet switches.

Within an ISP's network, the routing protocols IS-IS and OSPF are used. Unlike BGP, IS-IS and OSPF don't require much, if any, configuration. They will simply make use of any connectivity that's available and automatically advertise address blocks within the local network. To really make it impossible for any two users of the same ISP to talk to each other, it's necessary to shut down—or at least disable the routing protocols—on every router.

Of course just being able to talk to people that are connected to the same ISP as you isn't that useful—especially if there's no DNS. Turns out that there are three DNS root servers in Egypt, so there is a possibility that they could keep internal connectivity going without relying on the outside world. The root servers are the first step in resolving domain names into IP addresses. The next step is talking to a top level domain server, and finally talking to the DNS server of the domain in question. So this only works for top level domains and domain names for which the nameservers are located within the country. The three nameservers for Egypt's .eg top level domain are located in Vienna, Seattle, and Cairo. For any content hosted within the country, it would make sense for the DNS servers to be located in Egypt, too.
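The dependency chain described above can be walked mechanically. The following added example (not from the original article) checks, for each zone between the root and a name, whether at least one nameserver is still reachable. The root and .eg server locations follow the article; the zone names, the .com entry and the country codes are constructed for illustration, and resolver caching is ignored.

```python
# Constructed delegation data: zone -> list of (location, country code).
DELEGATIONS = {
    ".": [("in-country root instance", "EG")] * 3 + [("root abroad", "XX")],
    "eg.": [("Vienna", "AT"), ("Seattle", "US"), ("Cairo", "EG")],
    "com.": [("abroad", "US")],                      # hypothetical
    "news.example.eg.": [("Cairo", "EG")],           # hypothetical zone
    "mirror.example.eg.": [("Vienna", "AT")],        # hypothetical zone
    "shop.example.com.": [("Cairo", "EG")],          # hypothetical zone
}


def zone_cuts(name):
    """Zones a resolver must query, from the root down to the name's zone."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in DELEGATIONS:
            chain.append(zone)
    return chain


def resolve(name, reachable):
    """Return (True, None) if every zone in the chain has a reachable server,
    otherwise (False, first zone with no reachable server)."""
    for zone in zone_cuts(name):
        servers = DELEGATIONS[zone]
        if not any(country in reachable for _location, country in servers):
            return False, zone
    return True, None


def isolated_view():
    """Resolution results when only in-country servers can be reached."""
    names = ("news.example.eg", "mirror.example.eg", "shop.example.com")
    return {name: resolve(name, {"EG"}) for name in names}


if __name__ == "__main__":
    for name, result in isolated_view().items():
        print(name, result)
```

Note that the last name fails at the .com step even though its own nameserver is in Cairo, which is the limitation the paragraph describes.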

But obviously, keeping local connectivity up and running would defeat the purpose. Unlike BGP and IS-IS/OSPF, the DNS in general, and root servers in particular, provides a nice central place where it's easy to disrupt the network. In the case of the US or Europe, that wouldn't be as easy, because both have dozens of root servers, and they're run by 13 different organizations.

If the DNS is still working to some degree, it's also necessary to get packets from one ISP to another. Egypt has an Internet exchange in Cairo. It's unclear whether the four big ISPs in Egypt connect with each other through that exchange, but generally ISPs don't like to use international connections for national traffic. So it's likely that they interconnect in or around Cairo.

Could this happen elsewhere?

Like in Egypt, in Europe almost all interconnection happens in the capitals of the countries involved. Not so in the US: because the country is so large, and traffic volumes are so high, large networks may interconnect in as many as 20 cities. Numerous intercontinental sea cables land in the Boston, New York, Washington DC, Miami, Los Angeles, and Seattle regions. So in Egypt or many medium-sized countries, killing the connections between ISPs wouldn't be too hard. In the US, this would be quite difficult.

Assuming someone in high places has an Internet kill switch, shutting down just the international connections would require a lot of manual work, or the preexistence of an infrastructure that can make this happen automatically through management protocols. Of course such a system would never be triggered by accident or by a disgruntled employee.

The old story that the Internet was built as a military network to withstand nuclear attacks is pretty much an urban legend, but despite that, it's surprisingly hard to kill. It can be done, however, if you're a government and you try really, really hard.

Iljitsch van Beijnum
Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D. work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain. Email: iljitsch.vanbeijnum@arstechnica.com // Twitter: @iljitsch

Skynet wouldn't have let Egypt "fall off"... We simply need to create an internet so powerful and self-aware, that it will happily do everything it can to keep itself running just for our happiness. There's no way it would go out of control...

You should add, that - at least to some sources - not all Egyptian networks are affected. It's said "Noor Data Networks" still is on the net. It seems they run the Egyptian stock exchange. There's no knowing if this is deliberate. But assuming so, it shows there's more thought in the blockage than it seems.

The old story that the Internet was built as a military network to withstand nuclear attacks is pretty much an urban legend

Internet is based on DARPA Net which was very clearly built to withstand nuclear attacks. We've read the science papers in class that calculated the resilience of a network in nodes/city/warhead ratios.

The Internet itself might not be designed to be nuclear proof but the basic concepts of de-centralized, no single point of failure which made DARPA Net nuclear proof still hold up with the current implementation of the Internet.

A statement issued by Vodafone Egypt said it had been instructed to suspend services in some areas. "Under Egyptian legislation the authorities have the right to issue such an order and we are obliged to comply with it," it said.

You should add, that - at least to some sources - not all Egyptian networks are affected. It's said "Noor Data Networks" still is on the net. It seems they run the Egyptian stock exchange. There's no knowing if this is deliberate. But assuming so, it shows there's more thought in the blockage than it seems.

Something about 8% of traffic was still up and running w/o interruptions of which I'm assuming would probably be for things like what you mentioned, the Stock Exchange, and then the government and military and those that are in charge of security, both border and internal.

If you tried this in the USA, you'd soon see long range ad hoc wireless networks popping up everywhere, and an alternative to DNS established...

Long range to the rest of the world? I'd be impressed to see that one.

You don't think that any US government who would switch off the Internet wouldn't jam the wireless frequencies as well? No...of course not, they're stupid, right?

Why did Ars even make this a topic? A watchful citizenry is great and all, but it seems like some despotic government starts pulling shit, and the next thing we see is articles like this on ArsWiredica trying to twist this into how the U.S. would do the same thing.

You should add, that - at least to some sources - not all Egyptian networks are affected. It's said "Noor Data Networks" still is on the net. It seems they run the Egyptian stock exchange. There's no knowing if this is deliberate. But assuming so, it shows there's more thought in the blockage than it seems.

I say that global DNS servers should start dropping packets from Noor's network, effectively cutting off the Egyptian stock market from the rest of the world. Let 'em sweat THAT out for a few days and see how trigger-happy they are.

If you tried this in the USA, you'd soon see long range ad hoc wireless networks popping up everywhere, and an alternative to DNS established...

Long range to the rest of the world? I'd be impressed to see that one.

You don't think that any US government who would switch off the Internet wouldn't jam the wireless frequencies as well? No...of course not, they're stupid, right?

Jamming is not as easy as you think, especially if the actual traffic is digital rather than analog.

And it may have escaped your notice, but there are two other nations jammed right up against the USA, plus several within a few hundred miles of Florida. It only takes a couple of guys with Cantennas in Seattle, New York, Brownsville, and San Diego to connect our ad hoc wireless network back to the rest of the world.

Why did Ars even make this a topic? A watchful citizenry is great and all, but it seems like some despotic government starts pulling shit, and the next thing we see is articles like this on ArsWiredica trying to twist this into how the U.S. would do the same thing.

The reason that they mention it is to dispel the notions that some commenters in similar articles have put out.

That aside, am I the only one that thinks that Iljitsch's stories are the cream of the crop on Ars these days?

If you tried this in the USA, you'd soon see long range ad hoc wireless networks popping up everywhere, and an alternative to DNS established...

Long range to the rest of the world? I'd be impressed to see that one.

You don't think that any US government who would switch off the Internet wouldn't jam the wireless frequencies as well? No...of course not, they're stupid, right?

Jamming is not as easy as you think, especially if the actual traffic is digital rather than analog.

And it may have escaped your notice, but there are two other nations jammed right up against the USA, plus several within a few hundred miles of Florida. It only takes a couple of guys with Cantennas in Seattle, New York, Brownsville, and San Diego to connect our ad hoc wireless network back to the rest of the world.

If you tried this in the USA, you'd soon see long range ad hoc wireless networks popping up everywhere, and an alternative to DNS established...

What makes you think that this isn't happening in Egypt right now? Egyptian hackers are likely as good as American hackers when it comes to wireless if not better due to necessity: their wired infrastructure sucks.

You don't think that any US government who would switch off the Internet wouldn't jam the wireless frequencies as well? No...of course not, they're stupid, right?

As Old Man Dote said, you seem to have given very, very little thought to how jamming actually needs to work or does work in practice. It's not a matter of stupidity, it's a matter of physics, particularly the inverse square law. Serious, constant jamming capable of preventing multispectral digital transmissions against an area the size of the United States? Nope.

Eh...long range wireless would have to use a specific frequency because the equipment can only handle certain frequencies therefore jamming is very, very easy actually.

There is plenty of equipment that can be configured to handle a wide array of frequencies, it's just that there are legal restrictions on it because most frequencies are not for public use. You're positing a situation where, by definition, no one is particularly concerned anymore with following the law.

Additionally, point-to-point networks can use significantly more power even at normal frequencies, or could just go directly to optical connections. Good luck interfering with that.

A friend of mine is in the oil patch just outside of Aswan Dam, and he said the rumor around there is Mubarak will be letting go of power in two days. So the net will be back shortly, I hope. The net is only down in the major cities though, because we use Skype and I talked to him this morning, so I don't know where this info of all of Egypt is down is coming from. Egyptians are mostly poor, even the ones with degrees. My friend's driver is a lawyer, the maids and people in the 5 star hotels are very well educated, there just isn't any work in their fields.

Cutting down international pipelines, an entire country without internet, shutting down routers... welcome to sensationalist press. What a waste of what could have been a perfectly good 5 minutes of my life.

But I understand. It's all in the title. Crap like this calls a lot more attention and draws more ad revenue than simply stating that this was an order issued to the country's major ISPs and that it doesn't even affect the entire country, but just and mostly urban areas.

Cutting down international pipelines, an entire country without internet, shutting down routers... welcome to sensationalist press. What a waste of what could have been a perfectly good 5 minutes of my life.

But I understand. It's all in the title. Crap like this calls a lot more attention and draws more ad revenue than simply stating that this was an order issued to the country's major ISPs and that it doesn't even affect the entire country, but just and mostly urban areas.

I'm sorry you find yourself offended and that you wasted five minutes of your life by reading this article.